How to Make Your Network Secure Using Secure Shell Protocol
Nowadays, security is more important than ever. It’s extremely important that user accounts, passwords and hosts are protected from malicious attacks.
Secure Shell Protocol (SSH) is capable of establishing secure encrypted tunnels for carrying data. The SSH protocol can be used for remote access to your network devices, for securely transferring files between hosts and even for forwarding application data between workstations.
Various terminal emulators exist that support SSH. Based on my personal experience, SecureCRT and PuTTY are two of the best SSH emulators.
Today I am focusing on how to use PuTTY for establishing SSH remote connections and encrypted data tunnels. If you want, you can download PuTTY for free from www.putty.org.
In this article you can get the necessary steps for configuring and taking advantage of SSH on PuTTY. I also included lots of screenshots to help you along, so let’s get started with configuring PuTTY.
Configuring Basic PuTTY Session Options
After downloading PuTTY, you should set up and store your preferred connections. The steps you need to do this are very easy and straightforward:
- Launch the PuTTY application
- In the Session category, specify the IP address of the remote host
- Make sure that the "connection type" is set to SSH. By default SSH uses port 22; if your SSH server is configured to listen on a different port, enter that port number here
- Give your session a name and press the Save button (e.g. Remote_connection)
You can save as many SSH sessions as you want. The following screenshot presents the necessary configuration:
You always have the option of logging your SSH session. This is often useful when you need to keep evidence of your session activity. To do so you need to perform the following:
- Select the Logging option from the left pane
- Specify that you want to log all session output
- Specify the destination file for your logging output
Here is what you’ll see on your screen when you do this:
Configuring SSH Tunnels Using PuTTY
Now, to the interesting stuff …
Once you have set up your secure SSH connection towards your SSH enabled server, you need to configure traffic flows that need to be tunneled over this secure connection.
Traffic sent through the tunnel is encrypted between your machine and the SSH server, so network sniffers on that path cannot read it. In order to use SSH tunneling, also known as SSH port forwarding, you need to perform the following:
- First of all, you need to choose a free port number on your local machine where PuTTY will listen for incoming connections that trigger the tunneling functionality. Choose a port number greater than 2000. In my example I have chosen port number 3000.
- Afterwards, move to the Connection-SSH-Tunnels pane and enter the local port number in the "Source port" box and, separated by a colon, the destination host IP address and port number in the "Destination" box (e.g. 192.168.10.10:80)
- Make sure the "Local" radio button is selected
- Press the Add button. At this point you should be able to see the details of your port forwarding in the "forwarded ports" text box. Your configuration should look similar to this:
You can add as many forwarded connections as you like. When you finish configuring all your remote connections keep in mind:
- You should resave your session (see the beginning of the article for instructions) to avoid losing your settings. All you have to do is to select the "session" pane and click on the "save" button.
Now you are ready to open your SSH session and use your SSH tunnel!
Bottom Line of Our Sample Configuration
Coming back to my SSH port forwarding example, we are now able to securely connect to the 192.168.10.10 intranet server via our SSH session with the SSH server on 10.10.10.10.
This secured path is chosen when an application on the client machine (local host) connects to TCP port 3000 on localhost, the "Source port" configured in PuTTY, as shown in the following picture. The beauty of all this is that the whole connection is encrypted.
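To confirm that the forwarded port is reachable only from your own machine, the following added example (not part of the original article) audits netstat -an output for the tunnel port. The two captures are constructed samples and the function name audit_tunnel_listeners is hypothetical; PuTTY binds forwarded ports to loopback unless "Local ports accept connections from other hosts" is ticked in the Tunnels pane.

```python
import re

# Constructed samples of Windows "netstat -an" output taken while the session is open.
SAFE = """\
  TCP    127.0.0.1:3000         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     10.10.10.10:22         ESTABLISHED
"""
EXPOSED = """\
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    [::]:3000              [::]:0                 LISTENING
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)
LOOPBACK = {"127.0.0.1", "[::1]"}


def audit_tunnel_listeners(netstat_text, tunnel_ports):
    """Map each tunnel port to 'loopback only', 'exposed on ...' or 'not listening'."""
    binds = {port: set() for port in tunnel_ports}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in binds:
            binds[int(m.group(2))].add(m.group(1))
    report = {}
    for port, addrs in binds.items():
        if not addrs:
            report[port] = "not listening"      # session closed or tunnel not added
        elif addrs <= LOOPBACK:
            report[port] = "loopback only"      # only local programs can use the tunnel
        else:
            exposed = sorted(addrs - LOOPBACK)  # hosts that can reach this PC can use it
            report[port] = "exposed on " + ", ".join(exposed)
    return report


if __name__ == "__main__":
    print(audit_tunnel_listeners(SAFE, [3000]))
    print(audit_tunnel_listeners(EXPOSED, [3000]))
```

A port reported as exposed lets other machines on your network send traffic through your authenticated SSH session to the intranet server.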
Configuring SSH Proxy Connection Using PuTTY
We’ll now take a look at how we can configure PuTTY to use a secure proxy for sending all HTTP traffic through the SSH tunnel. This way our host identity is not revealed on the Internet.
To achieve this behavior I will use Firefox’s proxy feature. But let’s start from the beginning:
- First we will create a new Session called "proxy" specifying the IP address of our trusted SSH server and the port number to use for SSH.
- Then, we will configure the SSH tunnel, through which our HTTP traffic will be forwarded to our proxy server. Again we need to open the Connection-SSH-Tunnels pane on the left hand side and specify the following:
a. Source Port: Specify the source port for forwarding HTTP traffic. I have chosen port 3300 in this example.
b. Destination: Do not specify a remote IP address. Just select Dynamic and Auto.
c. Press the Add button. Your configuration will look like the following screenshot:
- Move back to the Session option on the left and save your session.
- Afterwards, we need to configure Mozilla Firefox to use the SOCKS proxy that PuTTY provides over your encrypted SSH connection.
To do so, you need to launch Firefox and from the Tools menu select Options and then select Advanced. Select the Network tab and press the Settings button on the connection sub-menu.
The connection settings dialog window is now activated and you need to fill in the following:
a. Select Manual Proxy Configuration
b. For SOCKS Host enter 127.0.0.1 or localhost inside the textbox and choose SOCKS v5
c. For the port number specify the same port number you have already configured in your SSH tunnel for the source port, i.e. port 3300.
d. Accept other default settings and press OK
When you finish your Firefox configuration, you will end up with a window similar to this:
Keep in mind that your DNS traffic will not be tunneled through the SSH connection. To force DNS traffic to go through the proxy you should do the following:
- Open a Firefox window and in the address bar type about:config. This will take you to the configuration page.
- Scroll down to the proxy configuration and set the network.proxy.socks_remote_dns value to true.
- All your DNS queries will be transmitted via your secure tunnel.
Your settings will look similar to the following:
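What the network.proxy.socks_remote_dns setting changes on the wire, as an added example that is not part of the original article: a SOCKS5 CONNECT request (RFC 1928) carries either an IPv4 address the client already resolved or the hostname itself. The hostname intranet.example, the address 192.0.2.10 and the RecordingResolver helper are constructed for illustration.

```python
import ipaddress
import struct


def build_connect(host, port, remote_dns, local_resolver):
    """Build the SOCKS5 CONNECT request a browser sends to the listener on port 3300."""
    if remote_dns:
        name = host.encode("idna")                 # ATYP 0x03: hostname goes into the tunnel
        addr = bytes([0x03, len(name)]) + name
    else:
        ip = ipaddress.IPv4Address(local_resolver(host))  # lookup leaves the tunnel
        addr = bytes([0x01]) + ip.packed           # ATYP 0x01: only the IP goes in
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def describe_request(req):
    """Parse a CONNECT request and report which side performed the DNS lookup."""
    if req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    if req[3] == 0x03:
        n = req[4]
        target, rest, who = req[5:5 + n].decode("ascii"), req[5 + n:], "ssh server"
    elif req[3] == 0x01:
        target, rest, who = str(ipaddress.IPv4Address(req[4:8])), req[8:], "client"
    else:
        raise ValueError("address type not handled in this example")
    return {"target": target, "port": struct.unpack("!H", rest[:2])[0],
            "dns_resolved_by": who}


class RecordingResolver:
    """Stand-in for the OS resolver; records every name looked up locally."""
    def __init__(self, table):
        self.table, self.queries = table, []

    def __call__(self, name):
        self.queries.append(name)
        return self.table[name]


def compare_modes(host="intranet.example", port=80):
    resolver = RecordingResolver({host: "192.0.2.10"})  # constructed DNS answer
    remote = describe_request(build_connect(host, port, True, resolver))
    leaked_when_remote = list(resolver.queries)          # stays empty
    local = describe_request(build_connect(host, port, False, resolver))
    return remote, leaked_when_remote, local, resolver.queries
```

With the setting at false, the visited hostname appears in a plaintext DNS query on the local network even though the page content travels through the tunnel.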
Keep In Mind …
SSH tunneling is a secure method of encrypting your sessions, especially when you connect over untrusted networks. You can secure either an individual application’s traffic or even a specific protocol’s traffic.
PuTTY is a free SSH emulator program that can help you secure both your client’s identity and traffic in a functional and persistent way.